Microsoft Exchange

Parser included in Logmanager can process transport of logs from Microsoft Exchange (version 2010 to 2019), with specific focus on Message tracking record - necessary to observe the SMTP part of email delivery flow.

Message tracking record logs monitor the message activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. You can use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.

In order to process logs from Microsoft Exchange Message tracking correctly, there are four requirements:

1. Check if log creation is enabled in Microsoft Exchange documentation. Some versions create logs by default, some need creation of message tracking record logs to be first enabled in their configuration. Follow Microsoft Exchange documentation.

   Link to Microsoft documentation:

   • Exchange 2019 - https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/configure-message-tracking?view=exchserver-2019
   • Exchange 2016 - https://docs.microsoft.com/en-us/exchange/mail-flow/transport-logs/configure-message-tracking?view=exchserver-2016
   • Exchange 2013 - https://docs.microsoft.com/en-us/exchange/configure-message-tracking-exchange-2013-help
   • Exchange 2010 - https://docs.microsoft.com/cs-cz/samples/browse/?redirectedfrom=TechNet-Gallery

   Record directory, where the log in text files is stored. Suggested approach: Check the content of this directory. If already full of old log files, please backup the existing content to different folder and delete from this directory logs older than 1 month, before proceeding to step 2.

2. Install Logmanager Beats agent on Exchange server.

3. Add agent rule to collect message tracking logs – in Logmanager Sources/Beats agents locate by hostname the server and edit it by clicking on blue pencil icon:

   1. In the Log files – click on green button: + Add.
   2. Select Template – Exchange.
   3. In file path – paste directory where text logs are located followed MSGTRK2*.LOG (to collect only from files of our interest).
   4. Keep tag “exchange” in the Tags field - according to this tag, Logmanager will automatically parse logs in to the correct parser.
   5. Optionally you can add your own tags (comma-separated values).
   6. Click ok and save the agent configuration. If filebeat state is set to auto it will be started automatically once it receives configuration update (unless it’s already running).
   7. Optionally restart the logmanager-orchestrator-service on given host, to speed up agent configuration refresh.

If you delete tag “exchange” from the log files configuration, your data will not be parsed correctly.

Proposed agent configuration in the screenshot below: